Atlassian reset user passwords for its group chat service HipChat on Monday following an incident that may have resulted in unauthorized access to a server used by the service.
The company began warning users Monday via email that as a result an attacker may have secured access to user information, including names, email addresses and hashed passwords.
Ganesh Krishnan, Atlassian’s Chief Security Officer, elaborated on the incident in a security noticed posted late Monday stressing that as far as the company can tell, no other Atlassian products were impacted. As far the company’s Security Intelligence Team can tell the breach has not resulted in the theft of financial or credit card information either.
Krishnan said Monday that HipChat hashes passwords with the password hashing function bcrypt with a random salt – something that should make cracking them more difficult, but not impossible. Krishnan said the attacker may have accessed user account information (name, email, password) of any HipChat user connected to a company specific implementations (company.hipchat.com).
He added that in some instances, room metadata, such as chat room names and topics may have been accessed. In a small sliver of instances, messages and content from those rooms may have been accessed but Krishnan says that’s only the case for less than 0.05 percent of instances.
Krishnan said the incident stemmed from a vulnerability in a popular third party library and affected a “server in the HipChat Cloud web tier.” While he didn’t disclose the name of the library, Krishnan said the way that it’s deployed usually minimizes the risk of this type of attack.
Krishnan failed to provide an exact ETA, but said the company is preparing an updated version of the server that it will push through the standard update channel.
Scott Farquhar, Atlassian’s co-founder and CEO, confirmed on Twitter Monday afternoon he was holding off on naming the vulnerable third party library, “until there is a patched version available.”
— Scott Farquhar (@scottfarkas) April 24, 2017
While the third party library hasn’t been patched yet the company believes it has limited its damage.
“We are confident we have isolated the affected systems and closed any unauthorized access,” Krishnan wrote.
That said, it’s still unclear exactly how many users may be affected by the incident. Krishnan said Monday that Atlassian invalidated passwords on all HipChat-connected user accounts; the company tweeted Monday it was only sending password reset instructions to users to those who it believed were affected.
HipChat users: If you don't receive PW reset instructions, we've found no evidence you're affected. See https://t.co/MRc0uLcOM9 (2/4)
— Atlassian HipChat (@HipChat) April 24, 2017
The company didn’t immediately return a request for comment on Tuesday but said, as many companies do after they’ve been breached, that it’s working with law enforcement investigating the incident.